0

Security group no effect in r1215

asked 2011-06-28 11:43:20 -0500

tonytkdk

As title ...

I did not set any security group rule... but I can still access the instance on any port.

When I set only the icmp and ssh ports for the instance... why can I access the http service on the instance from another host?

I want to verify it...


7 answers

0

answered 2011-08-17 19:55:39 -0500

everett-toews

Hi Hugo,

We've actually run into the same problem. Did you ever track down the cause?

When I examine the iptables on the compute node everything seems to be in place but you can still access services from a local machine on ports that are not authorized.

Everett

0

answered 2011-08-17 20:01:55 -0500

soren

Can either of you provide the output of "sudo iptables-save"?

0

answered 2011-08-17 20:14:50 -0500

vishvananda

With current trunk, try --noallow_same_net_traffic

Vish


0

answered 2011-08-17 20:29:41 -0500

everett-toews

http://pastie.org/2387712

The instance in question is nova-compute-inst-1271.

euca-describe-groups
GROUP toews default default
PERMISSION toews default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS tcp 3389 3389 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS udp 3389 3389 FROM CIDR 0.0.0.0/0

Steps:

  1. Run instance and associate floating IP
  2. ssh to instance
  3. Add port 200 and tcp to the /etc/services file on the instance.
  4. sudo nc -l 200
  5. From local machine: telnet <floating ip> 200

A connection is made to the instance on port 200 from my local machine. Anything typed into the telnet session appears on the instance.

Everett


0

answered 2011-08-17 20:48:57 -0500

everett-toews

I see that the description of allow_same_net_traffic is

"Whether to allow network traffic from same network"

So, even though we're using Cactus, do you think this flag would help?

I'm accessing the instance from my local machine, which is on a completely different network anyway.

Everett


0

answered 2011-08-18 19:21:42 -0500

everett-toews

@soren

Did you have a chance to look at this? Any thoughts?

Thanks, Everett


0

answered 2011-08-25 20:45:57 -0500

everett-toews

The root of this problem is actually because all traffic appears to be coming from the default gateway of the VM, see Determining remote IP from within VM [https://answers.launchpad.net/nova/+question/168570].

The solution to that problem fixed this problem as well.
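The following is an added example, not code from the thread or from Nova itself. It ties together Everett's verification steps (the euca-describe-groups output and the port 200 probe) and the root cause he reports: it parses the quoted group output into rules and evaluates a connection the way a simplified per-instance chain would, including a "traffic from the same network is allowed" rule standing in for the allow_same_net_traffic flag Vish mentions. The model assumes, as the two answers together imply, that traffic which reaches the chain with the VM's default gateway as its source address falls inside the VM's own network and is therefore admitted by that rule regardless of the group's port rules. The fixed-IP network, gateway and local-machine addresses are constructed for the example.

```python
"""Simplified model of Nova (Cactus-era) security-group enforcement.

Added example, not Nova's own code.  parse_groups() reads the
euca-describe-groups output quoted in the thread; accepts() evaluates a
packet against those rules plus an optional same-network allow rule that
stands in for the allow_same_net_traffic flag.  Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Output quoted in the thread, reflowed one record per line.
DESCRIBE_GROUPS = """\
GROUP toews default default
PERMISSION toews default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS tcp 3389 3389 FROM CIDR 0.0.0.0/0
PERMISSION toews default ALLOWS udp 3389 3389 FROM CIDR 0.0.0.0/0
"""


@dataclass(frozen=True)
class Rule:
    proto: str
    from_port: int          # -1 means "any" (the icmp -1 -1 wildcard)
    to_port: int
    cidr: ipaddress.IPv4Network


def parse_groups(text):
    """Turn the PERMISSION records of euca-describe-groups into Rule objects."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] != "PERMISSION":
            continue
        # PERMISSION <owner> <group> ALLOWS <proto> <from> <to> FROM CIDR <cidr>
        proto, lo, hi, cidr = f[4], int(f[5]), int(f[6]), f[9]
        rules.append(Rule(proto, lo, hi, ipaddress.ip_network(cidr)))
    return rules


def rule_matches(rule, src, proto, port):
    """True if one group rule admits a packet from src to proto/port."""
    if rule.proto != proto or ipaddress.ip_address(src) not in rule.cidr:
        return False
    if rule.from_port == -1:            # wildcard range
        return True
    return rule.from_port <= port <= rule.to_port


def accepts(rules, src, proto, port, allow_same_net=False, vm_net=None):
    """Decide as the simplified chain would.  `src` is the source address
    as the compute node's chain sees it, which after NAT may be the VM's
    gateway rather than the real client."""
    if allow_same_net and vm_net is not None \
            and ipaddress.ip_address(src) in ipaddress.ip_network(vm_net):
        return True                     # same-net traffic bypasses the group rules
    return any(rule_matches(r, src, proto, port) for r in rules)


def unauthorized(rules, src, observed):
    """Ports seen open from `src` that no group rule permits.
    `observed` is a list of (proto, port) pairs, e.g. from a probe like the
    telnet step in the thread."""
    return sorted((p, port) for p, port in observed
                  if not accepts(rules, src, p, port))


def explain_port_200(rules):
    """Reproduce the thread's observation under three views of the source."""
    vm_net = "10.0.0.0/24"              # constructed fixed-IP network of the VM
    gateway = "10.0.0.1"                # constructed: the VM's default gateway
    local_machine = "192.0.2.50"        # constructed: a host on another network
    return {
        "real source": accepts(rules, local_machine, "tcp", 200),
        "gateway source, allow_same_net":
            accepts(rules, gateway, "tcp", 200, True, vm_net),
        "gateway source, noallow_same_net":
            accepts(rules, gateway, "tcp", 200, False, vm_net),
    }


if __name__ == "__main__":
    rules = parse_groups(DESCRIBE_GROUPS)
    for view, allowed in explain_port_200(rules).items():
        print(f"tcp/200 from {view}: {'ACCEPTED' if allowed else 'dropped'}")
    probe = [("tcp", 22), ("tcp", 80), ("tcp", 200)]   # constructed probe result
    print("open but not authorized:", unauthorized(rules, "192.0.2.50", probe))
```

Run as a script it prints that tcp/200 is dropped when the chain sees the real client address, accepted when it sees the gateway with the same-network rule in place, and dropped again with that rule disabled, which is the behaviour the thread describes; unauthorized() is the check to run against the result of a probe like the one in Everett's steps.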



1 follower

Stats

Asked: 2011-06-28 11:43:20 -0500

Seen: 17 times

Last updated: Aug 25 '11